How to Botch a Security Vulnerability Discovery – WooThemes Case Study
Yesterday, Jason Gill disclosed a bug in the WooThemes WooFramework that allows any website visitor to run and see the output of any shortcode.
WooThemes is a popular WordPress theme maker that is used by thousands of websites. If you have a website powered by WooThemes, please update to the latest version right away.
“This gives unauthenticated visitors the same power to execute code on the server as regular publishers have. WordPress installations with unsecured shortcodes (such as [php] which allows raw PHP code to be run) are vulnerable to serious attacks if WooThemes are installed, even if they are not the selected theme for the site.
It would be trivial to identify common insecure shortcodes and then attempt them against common WooThemes to attempt to run malicious code on the remote server.”
Jason goes on to say:
This is only “half” of the equation. I have already seen numerous hosting accounts compromised via a more malicious form of this attack which I have not published. In fact, finding a number of sites running WooThemes all compromised in the past 4 days via the contents of shortcode-generator/ led me to take a quick look through the code to try to find the attack vector and I found this.
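As an added illustration (not code from the article, from Jason, or from WooThemes), here is a small Python scanner a site owner could run over web-server access logs to spot the unauthenticated shortcode-execution requests described above. Only the shortcode-generator/ directory name comes from the article; the preview file name, the shortcode query parameter and the log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic). The preview file
# name and the "shortcode" parameter are assumptions for illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2012:03:11:09 +0000] "GET /wp-content/themes/example/functions/js/shortcode-generator/preview.php?shortcode=%5Bphp%5Decho%201%3B%5B/php%5D HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Apr/2012:03:12:41 +0000] "GET /wp-content/themes/example/functions/js/shortcode-generator/preview.php?shortcode=%5Bbutton%5DBuy%5B/button%5D HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.9 - - [20/Apr/2012:03:13:02 +0000] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

# Common log format: ip ident user [time] "method target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Opening shortcode tag such as [php] or [button size="large"]; closing
# tags ([/php]) are skipped because "/" is not allowed in the name.
SHORTCODE_RE = re.compile(r'\[(?P<name>[a-zA-Z0-9_-]+)[^\]]*\]')
# Shortcodes that run raw code: any unauthenticated hit is critical.
HIGH_RISK = {"php", "raw"}


def analyze_line(line):
    """Return a finding dict for a shortcode-preview request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if "shortcode-generator/" not in parts.path:
        return None
    found = []
    # Check every parameter, not just the assumed one; parse_qs decodes one
    # layer of percent-encoding and unquote() catches double-encoded input.
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        for value in values:
            found += [s.group("name").lower()
                      for s in SHORTCODE_RE.finditer(unquote(value))]
    if not found:
        return None
    severity = "critical" if HIGH_RISK & set(found) else "warning"
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "status": m.group("status"), "shortcodes": found,
            "severity": severity}


def scan_log(text):
    """Scan a whole log; unauthenticated shortcode previews are all suspect."""
    return [r for r in (analyze_line(l) for l in text.splitlines()) if r]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any request to the preview endpoint from an unauthenticated visitor is suspect; the severity only separates code-executing shortcodes from the rest.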
The response from the WooThemes folks to this security vulnerability was less than stellar. This is a case study into the mistakes made by WooThemes during this incident that should hopefully serve as a model for what not to do.
WooThemes Case Study
Mistake #1: Not providing a clear way to be contacted
After Jason disclosed this security vulnerability many people chastised him for doing so publicly, instead of privately contacting WooThemes. And while I agree with those sentiments, Jason points out that he searched for a security notice email address and didn’t find one. He added, “Even as a paying customer the only way to get support is via their public forum.”
In all fairness to WooThemes, I found this post providing customers with the firstname.lastname@example.org and email@example.com email addresses. They also seem to be very responsive via their Twitter account. So, although maybe not ideal forms of reporting a security vulnerability, there were ways to contact them privately to at least initiate the discussion. Now, I don’t know if Jason attempted these options first, and simply received no response.
In any event, the point is that although the above support email addresses are available, WooThemes must not have presented them in a way that a person smart enough to discover a security vulnerability could find. This should have been clearly spelled out on their website.
Mistake #2: Quietly releasing a patch to a security vulnerability
This is by far the most egregious mistake. According to the WooThemes folks, they had already fixed the bug and released an update by the time Jason publicly disclosed it.
However, it appears that they neglected to announce this new update to their customers, which meant that many of them continued to use the vulnerable version. I found no mention of the update or details about the security vulnerability on the WooThemes blog. And they apparently neglected to alert their customers via email as well.
What’s the point of patching a security bug if you don’t inform your customers? If they are unaware of the need to update they are unlikely to do so. That helps no one.
Jason points to a single tweet made at 5:30am by WooThemes as the only announcement made to customers about the need to update. “We found a minor vulnerability in the WooFramework, which we’ve just fixed. Please update to the latest version ASAP!” However, that tweet pre-dates the date WooThemes claims the patch for this security bug was released. So, it’s highly unlikely that tweet was related to this security patch. (Tweet: https://twitter.com/#!/woothemes/status/192545687051829248)
I don’t know why they neglected to inform customers about this. Maybe it was a simple oversight. Maybe it was intentional in the hopes that no one would notice. I don’t know. But the reason doesn’t really matter. What matters is that it happened, and the impression it gives current and potential customers about their security practices.
Mistake #3: Relying on their broken auto-updater
There’s no excuse for not alerting their existing customers of this security patch. However, their excuse seems to be that they rely on their auto-updater to push the updates to their customers. This is a flawed idea.
First of all, this requires their customers to 1) happen to log in to WordPress, and 2) care enough to install the update right away. This puts all the burden on their customers. This procedure may be fine for non-security related updates, but for critical security patches a business needs to be more proactive.
In fairness, usually it is the end user’s responsibility to install software updates. However, reputable businesses will inform their customers, as well as the general public, when a security update is released, what security issue it is fixing, and the severity of the vulnerability.
If people are unaware what the update is for, there is no urgency. Software updates sometimes break existing functionality. Therefore, unless it’s security related, there are those who don’t install updates right away.
“Additionally, even if the issue is patched, my link above still works – which means that the patch clearly isn’t working or hasn’t been applied to WooThemes own servers.”
Secondly, it just so happened that their auto-updater was broken during this time, and was not properly pushing out the updates. So, even if you did log in to WordPress (and usually install non-critical updates in a timely fashion) you would not have seen this update available.
The Perfect Storm
All of these mistakes combined, plus the fact that WooThemes’ servers have been under a DDoS attack for over twelve hours now, are making for a very unpleasant time for the WooThemes folks.
The good news is that this has surely been such a trying time for them that they are unlikely to repeat these mistakes. That means:
- Having a clear way for people to privately report security vulnerabilities.
- Promptly informing their customers when a security patch is available.
- Ensuring their updates are available to all customers.
Jason sums it up well:
The moral of this story is: WooThemes is a great company and makes a great product, but they have grown to the point where security needs to be a real concern. A proper channel to alert them of these issues, along with prompt and honest email notifications of updates to their customers (free and paid), and a publicly-accessible security/updates site (a la RedHat’s RHSA system) are all long overdue. This isn’t just a jab at WooThemes either – a review of almost any paid or free theme will surely come up with many issues like this.
What security lessons have you learned from your mistakes?